The ability to listen to what’s going on around you. It’s a crucial skill on a number of levels, and can answer a number of questions based upon what you hear, such as:
1. How close is my OPFOR?
2. Are they OPFOR?
3. What is their level of Experience?
4. Do they have a higher echelon they are communicating with?
Just like physical observation from a hide site, listening to radio chatter from the observation target can be quite telling. The questions listed are simply an example to formulate a baseline. You should create your own list based first on Who, What, Where, When, Why, and How.
Believe it or not, this can be done as expensively or frugally as you wish. A decent SUT SIGINT package can be as simple as one of these:
Pictured in order of expense are an AOR AR-mini wideband communications receiver ($150ish), a Radio Shack PRO-96 ($40 or so on the used market; I bought it new a long time ago), and everyone’s favorite chicom set, the UV-5R with extended battery ($40 or so with large battery and long whip antenna). Each of these can receive a large number of common signals that you’re likely to come across at the SUT level, and each can run on AA batteries. Naturally, the more cash you spend and work you put into it the better the results will be. The AOR is a great piece of kit but sadly discontinued; the Icom R5/6 is almost identical and carries a similar price. Both are rugged enough to survive most field conditions.
The old Radio Shack has served me well for a long time; I used it extensively in Afghanistan and wrote an article about it in the current edition of the Signal-3 newsletter (https://sierra31wyo.wordpress.com/). Mine survived crawling up and down southern mountain ranges in that hostile land, so while not rugged by design it works when care is taken to protect it. They’re cheap these days and they work…mine’s beginning to show its age and has some issues with desensitization, but it’s still getting it done. And if it quits tomorrow it’s more than served its purpose.
The last device is the omnipresent Baofeng UV-5R. I’m not going into the whole debate over it; there are better radios out there for sure. It does however listen fairly well for fairly little money, even more so with a somewhat better antenna. One of the attributes of the 5R is the battery life, and with the extended battery it will last some time just monitoring. It pushes 4-5 W (depending on specific model) out of a small form factor like most HTs these days; compare this capability to the PRC-77 or even the ASIP for those who’ve humped it. Your back will thank you. Disable the stupid flashlight; that feature will get your patrol compromised fast. Program it with all of the common frequencies in use in your area; license free, licensed, public safety, whatever…you should be actively listening now to determine what these are. It scans slowly but it works, so you should really be formulating a short list of active frequencies in use now in your AO to work around the limitations of your equipment.
Searching for the Frequencies
In the rural South, almost every family owns a police scanner of some kind, and it’s always on. It’s cheap entertainment, a form of jungle telegraph for the latest gossip, and a quick report on the local severe weather threat when warnings are issued from the Sheriff’s Deputies out looking for current conditions. Prior to the digital upgrades of equipment, everyone knew the frequencies by heart as well. These days it’s not quite as simple.
There are two methods for searching the bands: Band Search and Point Search. As the name implies, a Band Search sweeps the entire spectrum of a given band, and the Point Search narrows it down to a handful of frequencies. Band Searches take a lot of time; one should be the first thing done when arriving in a new area, and it should be repeated a few times a week. With your handy dandy notebook you carry everywhere with you, write down everything that breaks squelch and any data you gather. This is your information from which you develop your Point Search. Think lantern vs. penlight here.
These searches should be done before your Patrol ever steps off. You must know as much about your AO as possible before you move out if you want to survive contact. Before you’re knee deep in the bush you should know who and what breaks squelch and on what frequencies. Knowing this, now you can do three things: listen to the OPFOR, limit the OPFOR’s communications capabilities (electronic warfare, or jamming) to create chaos, and most importantly, communicate by methods they cannot.
Build Your Capabilities; Never Stop.
The better you build your capabilities now, the easier it will become later on. Do it now. Even the most expensive Communication Receiver I’ve listed is not going to break the bank; quit smoking or drinking beer for a couple weeks and you’ll easily be able to afford it. In addition, use your gear on a regular basis. There’s no reason not to. Cut off the TV and switch on the scanner along with your brain.
An Introduction to SIGINT - Signals Intelligence
By TiCom...Conn. Survivalist Alliance
A common police scanner is one of the most potentially useful tools a hacker-survivalist could have. Scanners have come a long way from bulky, crystal-controlled affairs with a handful of channels. Contemporary scanners fit in the palm of your hand, have a thousand keyboard-programmable channels, and have wide-band frequency coverage from 100 kHz. to 2 GHz. Certain models even have the ability to follow communications on trunked radio systems used by government and business. For the uninitiated, a scanner is a VHF/UHF communications receiver that has the ability to step through multiple channels or "scan", stopping on a frequency it detects traffic on. Scanners monitor frequencies used by government agencies, the military, public safety, emergency services, utility companies, businesses, and wireless telecommunications devices. Some of the more deluxe units even cover the HF shortwave region. While the use of digital communications systems and encryption is on the rise, there is still plenty of monitorable activity for the foreseeable future.
The military has an entire discipline dedicated to the collection of intelligence by monitoring communications:
COMINT (Communications Intelligence). COMINT is a subset of SIGINT (Signals Intelligence). The military gives COMINT a Top Secret/SCI security classification, but it can be done by any individual with a clue and a $100 receiver available at a pawn shop. There is plenty of information available via open sources on the net and elsewhere. Back in my reserve component days, I was giving this E-7 98C (a Sergeant First Class SIGINT Analyst, for you civilians) in my unit a ride in the old "Russian Trawler" Crown Vic, and remember the dead silence that resulted after explaining the vehicle's "commo package" (consisting of an Icom IC-2000 2 meter mobile, Kenwood TK-805D UHF mobile, Uniden HR-2510 10 meter mobile, VHF low-band Motorola Maxtrac, and Realistic PRO-2026 scanning receiver). Another neat little-known fact about military SIGINT is that in order to become a SIGINT Analyst one must not only have a very high ASVAB score, but also receive a qualifying score on the AAT (Analytical Aptitude Test), which has a 90% failure rate among those tested.
Anyway, if you're interested in non-classified material on Intelligence Analysis, download a copy of Army Field Manual FM 34-3.
There's a lot of good equipment out there, and selection is pretty much a matter of personal preference and operational requirements. For those living in areas whose public safety agencies use a Motorola or GE/Ericsson trunked system, my recommendation would be the Uniden (Bearcat) BC-245XLT Trunktracker. This handheld is a refinement of the excellent BC-235XLT, which was only capable of monitoring Motorola systems. If you're looking for a really small wide-band unit with great audio, examine the Icom R-2. This unit has coverage from 500 kHz. to 1300 MHz. (minus cellular). The Uniden BC-3000, Icom R-10 and Alinco DJ-X10 are also nice full-featured wide-band handheld units. There are also computer-controlled units such as the Winradio, Icom PCR-1000, and Optoelectronics Optocom. While they are great hacker-type units, I tend to lean away from them due to the simple expedient that you can't throw them in a tool bag or briefcase, take them out somewhere, and have them ready to go.
Due to Federal law, there are no new scanners with cellular phone coverage available in the United States to ordinary civilians. Those of you looking for a unit with unrestricted 800 MHz. coverage will have to check out used equipment sources such as hamfests and pawn shops. The two models that still reign supreme are the Realistic PRO-2006 base and PRO-43 handheld. Good luck finding one. These days, scanners sold by Radio Shack are not only overpriced, but lacking in performance. There are much better sources available. The one thing, however, that I would get from Radio Shack is a copy of the book, Police Call. It is one of the best frequency directories you will find for any given area, along with the FCC's web site. (More on that in a moment.) A particular area might have a locally published directory, like The Official Connecticut Scanner Frequency Directory. Your local radio shop will most likely have information regarding directories that may go into greater detail than Police Call for your area.
Eventually, the serious scanner hobbyist gets the urge to go beyond listening to the standard widely available public safety and business frequencies. They get the desire to look for the good stuff that you will not find listed in Police Call or any of the other scanner frequency directories. The object of the hobbyist's listening might also be something mundane like the local mall security force, but a search through the directories fails to uncover their operating frequency. In either of these situations, the hobbyist can resort to using the various techniques detailed in this article to acquire an elusive frequency.
There are two basic approaches to finding frequencies. The first approach is to go on an electronic fishing expedition. This is how hobbyists operate most of the time. You simply take a small piece of the frequency spectrum that your radio is capable of receiving and listen to see what you can find. The second approach is to pick a specific target to be the focus of your monitoring attention and attempt to find the frequencies they use. During the course of using this second approach you will find other users; which you might find interesting later. I recommend that you use the first approach once in a while. Knowing the usual activity around you will help determine how far you can listen, and especially important, when a transmission out of the ordinary appears. I recommend you acquire frequency directories for your area. The most common one is Police Call. Police Call is available at Radio Shack or by mail order. It is excellent for public safety listings, but only average when it comes to identifying businesses. There are other excellent directories available for particular local areas.
For hobbyists in the states of Connecticut, New York, and Massachusetts I recommend Scanner Master and Official (insert name of state) Frequency Guide frequency directories. The best federal frequency directory in print form still remains the Top Secret Registry of US Government Radio Frequencies. If you have access to the Fidonet scanner message base, Roger Cravens periodically posts his very large, superlative list of federal frequencies to that message base. A frequency directory will identify the normal users of an area. This is useful in preventing you from wasting hours analyzing a common signal, when you should be analyzing something else.
The tool that every monitoring hobbyist has is the search function on their scanner. Most of them however, do not know how to use it. You should know the frequency band that your target uses. You should have an idea of where in that band they would be operating. You should search probable areas in small sections.
Knowing what band a target operates on could be a matter of general knowledge. If your local police's dispatch channel is on VHF-high band, then it is a good bet their unlisted tactical channel is also there. It can also be determined by looking at the antennas on vehicles, unless the vehicle has a disguised antenna. A VHF-low band antenna will be a 60 to 100 inch whip or a 35 inch whip with a 5 inch coil on the bottom. A VHF-high band antenna will be either an 18 inch whip or a 40 inch whip with a 3 inch coil on the bottom. UHF band antennas will be either a 6 inch whip or a 35 inch whip with a plastic band in the middle. 800 MHz. antennas are either a 3 inch whip or a 13 inch whip with a pig tail coil in the middle. A cellular phone antenna is a common example. I suggest ordering the catalogs of various antenna manufacturers to get a visual idea of what antennas on each of the bands look like. You can do the same thing with handie-talkie antennas. A VHF-low band antenna will be about a foot long. A VHF-high band antenna will be about six inches long and about as thick as your index or middle finger. UHF antennas will be either 6 inches long and slender compared to the VHF-high band antenna, or three inches long. 800 MHz. antennas are about an inch and a half long.
Once you know the frequency band, you determine where in that band they might be operating. In most non-federal cases this is as easy as looking at the Consolidated Frequency List in the back of Police Call. The two types of users you might have problems with are police departments and the federal government. Police departments can use any public safety frequency for tactical communications on a non-interference basis. The FCC also licenses local government services for frequencies allocated to a different service, if the frequency does not have a licensee already assigned to it. An example would be a fire department being licensed to a frequency allocated for highway maintenance. The Intergovernmental Radio Advisory Committee (IRAC) handles licenses for the federal government. IRAC listings have been exempt from the Freedom of Information Act since 1983. The mundane agencies have been using the same frequencies for the past 13 years, but some of the more interesting ones have changed frequencies. The IRAC listings in the Consolidated Frequency List are still fairly accurate. Remember that they are only fairly accurate.
You should search a range that your scanner can sweep in three to five seconds at its fastest speed, since this seems to be the average duration of a radio transmission. Let's say you are searching the VHF-high band with a scanner that does 50 steps a second. Channel spacing for VHF-high band is 5 kHz. You should search your target areas in sweeps of 750 kHz. to 1.25 MHz. Search a range for one to two weeks at different times to catch everything in that range.
One little known trick is to use one of those old tunable public safety band receivers that predate scanners. An example would be the Realistic PRO-2. It covered 30-50 MHz. and 152-174 MHz. You can pick one up at a flea market or hamfest for as little as $5. Radio Shack still sells a multiband portable (12-649) that covers the aircraft and VHF-high bands, but at $100 I think it's overpriced. While these units lack the sensitivity and selectivity of a scanner, they are excellent for doing high-speed searching. Once you get a hit, you will have narrowed the possible frequency range down to roughly 500 kHz. You then use your scanner's search function to find the exact frequency. They are also good dedicated single channel receivers for things like NOAA weather radio and the local fire department's dispatch frequency. If you ever find an old multiband portable that covers UHF-TV, remember that channels 70-83 are now the 800 MHz. public safety, business, and cellular phone band.
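The sweep arithmetic above, carried through as an added example (not part of the original article): it computes how much spectrum the scanner covers in a three to five second pass and carves a band into search ranges of that size, including the short final range. The function names are hypothetical, and the 152-174 MHz band edges are an assumption borrowed from the VHF-high coverage the article quotes for the Realistic PRO-2.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Sweep:
    start_hz: int    # lower limit of the search range
    stop_hz: int     # upper limit of the search range
    channels: int    # steps the scanner takes in one pass
    seconds: float   # duration of one pass at the scanner's step rate


def sweep_width_hz(steps_per_sec: int, spacing_hz: int, sweep_seconds: float) -> int:
    """Spectrum covered in one pass: steps/second x seconds x channel spacing."""
    return int(steps_per_sec * sweep_seconds) * spacing_hz


def plan_sweeps(band_start_hz: int, band_stop_hz: int, spacing_hz: int,
                steps_per_sec: int, sweep_seconds: float = 3.0) -> list:
    """Split a band into consecutive search ranges of one pass each.

    All frequencies are integers in Hz so that channel counts stay exact.
    """
    if spacing_hz <= 0 or steps_per_sec <= 0 or sweep_seconds <= 0:
        raise ValueError("spacing, step rate and sweep time must be positive")
    if band_stop_hz <= band_start_hz:
        raise ValueError("band_stop_hz must be above band_start_hz")
    width = sweep_width_hz(steps_per_sec, spacing_hz, sweep_seconds)
    if width == 0:
        raise ValueError("sweep time too short for even one step")

    sweeps = []
    start = band_start_hz
    while start < band_stop_hz:
        # The last range is clipped to the band edge and is usually shorter.
        stop = min(start + width, band_stop_hz)
        channels = (stop - start) // spacing_hz
        sweeps.append(Sweep(start, stop, channels, channels / steps_per_sec))
        start = stop
    return sweeps


def format_plan(sweeps) -> str:
    """Notebook-style listing: one search range per line."""
    lines = []
    for n, s in enumerate(sweeps, 1):
        lines.append(f"{n:2d}  {s.start_hz / 1e6:8.3f} - {s.stop_hz / 1e6:8.3f} MHz"
                     f"  {s.channels:4d} ch  {s.seconds:.1f} s")
    return "\n".join(lines)


if __name__ == "__main__":
    # Article's figures: 50 steps/second, 5 kHz spacing, 3 second passes.
    print(format_plan(plan_sweeps(152_000_000, 174_000_000, 5_000, 50, 3.0)))
```
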
If a signal is in your location's coverage area and your scanner is capable of receiving the frequency, you will eventually find it by searching. This will take time if you do it properly. If you are in a situation where you desire a faster approach, you can use a frequency counter.
A frequency counter is probably one of the most useful tools a SIGINT hobbyist can own. A frequency counter works by locking on the strongest radio signal in an area, and displaying the frequency. I strongly suggest that you bite the bullet and buy the Optoelectronics Scout if you are going to get into this facet of SIGINT. Other frequency counters cost less, but lack the features the Scout possesses. These features make a world of difference between simply being a piece of test equipment, and being a SIGINT tool. The Scout will automatically capture a frequency, and store up to four hundred of them in memory. When the Scout captures a frequency, it will either beep or discreetly vibrate. In each of these memories, the Scout stores up to 255 hits. This lets you know how active a given frequency is. The Scout has a CI-V interface. The CI-V interface connects to a PC for automatic frequency logging, or to a receiver for reaction tuning. With reaction tuning, the receiver automatically tunes to the frequency the Scout captures. I used a Radio Shack frequency counter for SIGINT work before I bought a Scout. It had adequate sensitivity, but required constant viewing and a quick writing hand in order to use effectively. It was also very difficult to use while driving.
Frequency counters work in a radio transmission's near field. This means that you will generally have to be within one thousand feet of the target transmitter in order to acquire the frequency. The following table shows the average distances one will acquire a particular type of transmitter:
There are a few things you can do to enhance a frequency counter's operation. The first technique involves antenna usage. The standard telescoping whip is good for many operations, but you can do better. With the standard whip antenna, the Scout will pick up a cellular phone at approximately one hundred fifty feet. Hook it up to a 5/8 wave 800 MHz. antenna, and the range increases to approximately three hundred feet. A high-gain antenna designed for the band of interest will increase your range on desired frequencies and reduce interference from undesired ones. If you use a directional antenna, such as a yagi, you will be able to select a particular target location to investigate, and eliminate interference from another location. The second technique is using filters. Using filters will block out undesired frequency ranges and pass desired ones. An FM broadcast notch filter is very useful. Optoelectronics sells the N100, which I recommend. FM broadcasters are a major source of undesirable interference, and having one nearby will cause your counter to lock up on the broadcast station's frequency.
By using these techniques, you will find the frequencies you desire. How quickly you find a frequency depends on your skill as a SIGINT hobbyist and how much the target uses their radios. You can acquire a target such as a mall security force in as little as thirty seconds. This was how long I had to loiter near a help desk with a frequency counter before a security officer keyed up a radio. Some of the less active federal agencies can take a week or two before you can tag them. If you do not find the frequency, there are two possibilities. The first is that your target either does not use radios or uses them very infrequently. I will assume that your target does indeed use radio communications. The only solution to tagging an infrequent radio user is persistence and patience. Eventually they will key up and you will have their frequency. The second possibility is that you found their frequency, but failed to identify it properly. Learn who operates on what frequency ranges. Listen to what you have found during previous SIGINT attempts over a period of time to determine who it is you have found. My SIGINT experiences have taught me that sometimes the true nature of the parties using a frequency may take a while to become apparent. Certain users use encrypted or spread spectrum (frequency hopping) communications. Receiving spread spectrum communications is at this time beyond the ability of the average hobbyist. As I write this I can hear some of my friends telling me, "Let's not go there." A little birdie told me, however, that a certain radio hobbyist organization in Connecticut publishes an excellent introductory-level technical text. Encrypted communications not only present a similar technical difficulty, but are also illegal to listen to under the Electronic Communications Privacy Act. Encrypted communications system users will sometimes have equipment difficulties and operate in the clear. A patient listener will wait for this opportunity.
I find the thrill of exploring the airwaves to see what I can find to be one of the more enjoyable aspects of my monitoring hobby. There are so many different users of the radio spectrum, spanning a broad range of operations, that it's impossible to become bored. Every time I activate the search function on my scanner, I seem to discover something new. I hope that this article will let you share the thrill of this exploration.
Introduction to Signal Analysis
(This article originally appeared in Volume 3, Number 7 July/August 1999 issue of Scanning USA Magazine.)
In past installments of Private Sector SIGINT, I have discussed the techniques of finding frequencies, certain frequency ranges that may yield desirable results when searched, various pieces of equipment that are of assistance to the SIGINT hobbyist, and some of the more interesting users of the RF spectrum. Now, as Bruce Bethke said in his novel Headcrash, "Welcome to the next level."
For this column, we will assume that you, in the course of your SIGINT hobby, have come across a genuine unidentified ("unid") user while searching the spectrum. You've checked all the scanner frequency lists, e-mail lists, web sites, and Usenet postings and have come up with nothing. You wish to identify the unid, and determine the extent of its communications network. To do this, you ask the following questions:
• Frequency (or talkgroup/subfleet if monitoring a trunked system)
• PL/DPL tone, if any? Single PL/DPL used, or multiple?
• Scrambled or clear? Type of scrambling: digital or analog?
• How many stations do you hear?
• How do they identify themselves?
• Signal strength of stations communicating?
• What are they talking about?
The first five characteristics are noted as soon as you discover the unid. You will have some initial information about the others, but as time goes on you will acquire more information. What you should be doing now is noting what information you do have on the unid. Some people like using a computer database, others like 3x5 index cards. The more info you have, the easier it'll be to identify the unid.
The frequency in question can help tell you the approximate range, extent and purpose of the unid's communications net. For example, the VHF low-band would likely be used for regional communications between base stations and maybe mobile units. UHF, on the other hand, would be for short-range tactical-type communications between several mobiles and portables. UHF portables are limited to a few miles. A VHF low-band base station can communicate a couple hundred miles under the right circumstances. What other identified users operate on nearby frequencies? For example, the Connecticut State Police employ several frequencies in the 42 MHz. region that they are licensed for. They also use a number of frequencies in the same region for covert purposes that are not licensed. When the band conditions are right and the skip comes in you'll hear both their operations and SP communications from across the country on the same frequency.
PL/DPL tones are another identifier. Knowing the PL/DPL tone of an unid enables you to cross-reference it to other frequencies. If a police department uses a certain PL on their repeater, and an unid with surveillance activity is noted on the same band with the same PL, then it's quite possibly an unlisted channel for that police department.
Knowing how many different PL/DPL tones are in use on a given frequency tells you approximately how many different nets, or distinct groups of communicators, are active on that freq. On a low-power portable frequency such as 154.600 MHz., users will use a unique PL/DPL tone so they don't have to hear everyone else. There are only a limited number of PL/DPL tones, however, so duplication by different nets is inevitable. Other users won't want to spend the extra money for radios with PL/DPL capability, run without it, and tolerate the other users on the channel breaking their squelch. If you hear an unid running DPL, then you can be 99% sure they are running real commercial and mobile equipment. There are only a couple ham rigs, such as the Yaesu FT-50, that have DPL.
Most radio communications businesses maintain "community repeaters". The license for the system is in their name, and they rent airtime to various businesses and organizations. The individual users will not be licensed, instead running under the radio shop's license. Each subscriber will be assigned his or her own PL/DPL tone on the repeater. The community repeater is being replaced with SMR (Specialized Mobile Radio) trunked systems, although community repeaters are still widespread. Motorola sold all their commercial SMR systems to Nextel, who is gradually taking them off the air and replacing them with iDEN (digital) systems. This has prompted many radio users to seek out alternatives to Nextel. Many radio shops are setting up 400 MHz. LTR trunked systems, which will eventually replace their community repeaters. LTR is an open protocol. This not only means a wide availability of equipment for the business offering these services, but equipment for the monitoring enthusiast as well. There are also a few commercial SMRs running the GE/Ericsson EDACS system on 800 MHz., and 800 MHz. Smartnet systems that are not owned by Nextel. Each system can have several dozen users on it, making them a nice challenge for the monitoring hobbyist who wishes to map them out.
If an unid is scrambled, you will at least know whether or not the scrambling method is analog or digital. If they are using a simple single-frequency inversion method, then it is possible, although illegal, to descramble their communications and proceed. If they are using something advanced such as DVP, DES, or Rolling Code then you will not be able to monitor the actual communications. You will still at least be able to note how often the frequency sees activity, and the signal strengths of the stations communicating. Voice encryption is often subject to failure, and you might catch a station operating in the clear if you monitor long enough.
At this point, you have all the immediate characteristics of the unid noted down. The rest is just a matter of time.
The remaining questions you have in identifying the user are:
• How many stations do you hear?
• How do they identify themselves?
• Signal strength of stations communicating?
• What are they talking about?
All these will eventually answer the main question, Who am I listening to? The best thing to do at this point is take a receiver and dedicate it to the given frequency. You can acquire basic 16-50 channel scanners for under $100 at flea markets, pawn shops, and hamfests for this purpose. If you want 24 hour monitoring of the frequency, attach a VOX-operated tape recorder to the scanner. Many scanners come equipped with a tape out jack for easy connection. Otherwise, go to Radio Shack and pick up one of the suction cup telephone microphones. This is attached to a telephone receiver by the earphone to record phone calls. Attach it near the speaker of the scanner.
Experiment to find the best place to attach it to the scanner. For those of you who really want to get into things, Bill Cheek's Scanner Modification Handbooks contain a wealth of information on modifying your scanner to make SIGINT easier. You can add event counters to see how many times the frequency breaks squelch, time-stamping for monitored communications, and a whole host of other enhancements.
You will be able to initially discern IDs used on the frequency and the signal strength (even if approximate) of the stations on the net. You will also know what they are saying if it's in a language you can understand, although you might get a little tripped-up on any specialized jargon. Log it all down. Eventually you'll also be able to recognize the voices of the various people on the frequency, and match them to IDs. The signal strength of each user will tell you approximately how far away they are from your location, and whether they are base or mobile/portable stations. Consistent signal strength will indicate a base station or repeater. Mobile and portable stations will have varying signal strengths and often mobile flutter on their signal.
When listening to an unid with the intent of identifying it, two things you should listen for are locations and specialized trade jargon. They can be cross-referenced to assist in identifying the user. Street maps of your nearby locales are a good reference to have. I don't advocate "call chasing", going to the site of an incident that you've heard on your scanner. This can be dangerous, and complicates matters for public safety personnel who are working the incident. If, however, you've determined you are listening to an obviously civilian unid on a trunked system or community repeater who was just sent on a service call to a location that's a few blocks away from you, it would be a different matter. It would be worthwhile to take the dog for a quick walk to see whom you are listening to. On another note, information you discover on community repeaters or trunked systems is transitory in nature. The talkgroup or PL may belong to a different business next month.
If you listen long enough and pay attention to the communications you are receiving, you will identify the user. The amount of time will vary with the nature of the user, and how often they are on the air. Once you identify the user, the rest is up to you. You can become quite intimate with the operations of a business by monitoring their communications. Monitoring local public safety communications will often give you a better handle on what's going on in your community than the local newspaper. The possibilities are endless. As an intellectual exercise your SIGINT endeavors will be delving into such diverse areas as electronics, geography, sociology, research skills, and current events. At any rate, SIGINT analysis is far better a pastime than sitting in front of the television (although having CNN running in the background while you're working on something is a good idea).
Chances are, you'll have some questions regarding communications systems or activities in your locale that could be answered by using SIGINT analysis. Some questions that might come to mind are:
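The logging described above, sketched as an added example (not part of the original article): it reads a listener's log, groups traffic into nets by frequency and PL tone, and applies the consistent-versus-varying signal strength rule to each ID. The log layout, the sample entries, and the two thresholds are constructed assumptions, not values from the article.

```python
from collections import defaultdict

# Constructed sample log (not real traffic). Columns, whitespace separated:
# local time, frequency in MHz, PL tone in Hz ("-" = none heard),
# ID used on the air, S-meter reading 0-9.
SAMPLE_LOG = """\
# 154.600 MHz, dedicated receiver
0802 154.600 100.0 BASE 8
0803 154.600 100.0 UNIT4 5
0815 154.600 100.0 BASE 8
0816 154.600 100.0 UNIT4 2
0830 154.600 100.0 BASE 9
0831 154.600 100.0 UNIT4 7
0840 154.600 131.8 DISPATCH 6
0841 154.600 131.8 TRUCK2 3
0905 154.600 131.8 DISPATCH 6
0906 154.600 131.8 TRUCK2 6
0910 154.600 - KID1 4
"""

# Assumed thresholds: a station whose readings stay within one S-unit over
# at least three hits is treated as fixed; tune these to your own receiver.
MAX_FIXED_SPREAD = 1
MIN_HITS_FOR_FIXED = 3


def parse_log(text):
    """Turn log lines into records; blank lines and '#' comments are skipped."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(fields)}")
        time, freq, tone, ident, strength = fields
        records.append({
            "time": time,
            "freq_khz": round(float(freq) * 1000),   # integer kHz as a stable key
            "tone": None if tone == "-" else float(tone),
            "id": ident.upper(),
            "s": int(strength),
        })
    return records


def classify(strengths):
    """Consistent strength suggests a base or repeater, varying a mobile."""
    spread = max(strengths) - min(strengths)
    if spread > MAX_FIXED_SPREAD:
        return "mobile/portable"        # variation is evidence even on few hits
    if len(strengths) >= MIN_HITS_FOR_FIXED:
        return "base/repeater"
    return "undetermined"               # consistent so far, but too few hits


def map_nets(records):
    """Group by (frequency, PL tone); each distinct pair is treated as one net."""
    nets = defaultdict(lambda: defaultdict(list))
    for r in records:
        nets[(r["freq_khz"], r["tone"])][r["id"]].append(r["s"])
    return {
        net: {sid: {"hits": len(s), "kind": classify(s)} for sid, s in stations.items()}
        for net, stations in nets.items()
    }


if __name__ == "__main__":
    for (freq_khz, tone), stations in map_nets(parse_log(SAMPLE_LOG)).items():
        label = f"PL {tone}" if tone is not None else "no PL"
        print(f"{freq_khz / 1000:.3f} MHz, {label}: {len(stations)} station(s)")
        for sid, info in stations.items():
            print(f"    {sid:<9} hits={info['hits']}  {info['kind']}")
```
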
• Who are the users of local community repeaters and SMR systems?
• What are high crime areas in my community?
• What are the most common crimes in my community?
• What is the reliability of the local utility infrastructure (electrical, telephone, CATV, gas)?
• X is obviously employing radio communications, but no license is listed for them. What's their frequency?
• What frequencies and/or radio systems are the local public safety agencies using other than their publicly listed ones?
This article just scratches the surface of an activity that could easily take up a several-book series. The best way a beginner can start is to just do it. Pick something, like a local community repeater or SMR system, and see how much information you can acquire on it. You might have some specific questions regarding a communications user or system you already have some information on, which you can go investigate. You might even be interested in something non-technical, such as crime statistics in your local community. Whatever your specific interest, remember that patience and persistence is a good thing, and will reap dividends far above and beyond your initial investment.
Communications Monitoring Notes
• In most places, some form of emergency medical services dispatch is done on 462.950 and 462.975 MHz., which are also known respectively as MED-9 and MED-10. Due to the myriad of commercial ambulance services and community EMS agencies all using different radio systems, the MED channels will probably remain analog FM for some time. In most medium-sized and larger cities, there is a constant stream of traffic on EMS channels. Most of it consists of routine calls.
• Due to the variety of communications systems that could be used by various public safety and emergency services agencies in a region, mutual-aid, interoperability, and emergency management agency frequencies are generally analog and unencrypted. These frequencies generally remain unused unless there is a major incident occurring, so they are good indicator frequencies.
• Volunteer fire departments and ambulance corps whose members carry voice pagers will have their dispatch channel analog and unencrypted. This is because members also have scanners in addition to their pager that they listen to for call-outs. Fire departments in general have been slow to adopt P25.
• Fire departments are a useful monitoring target as the frequencies are only active when something is happening, and they are first responders to any disaster situation. Many areas maintain a regional/county dispatch center that handles all departments in a locale on a common frequency. Mutual-aid/intercity frequencies are useful for indications of incidents requiring multiple department response. Response and mitigation operations are often moved off to tactical/"fireground" frequencies.
• VHF aeronautical and marine band frequencies are analog and unencrypted. They are often a good indicator of an incident involving aircraft and nautical craft. The two primary frequencies of interest are the aviation emergency/"Guard" channel of 121.500 MHz. and Marine Channel 16, which is the calling and emergency frequency, at 156.800 MHz.
• Many bus and taxi companies still operate on conventional analog systems. They are useful for indications of incidents on the roads. Taxi drivers are especially known for making various comments over the air about interesting things they see on the road. Taxi companies in urban areas are often concerned with their calls getting stolen by the competition, so encryption and the use of mobile data services is not uncommon.
• Public works departments and utility companies generally consist of routine traffic until something happens. Then they are full of information about disaster response, and services recovery. I personally find that the routine traffic of utility companies provides an interesting picture of the local infrastructure. Public works departments and utilities are required monitoring after many types of heavy weather. Public works departments are generally slow to upgrade their equipment, and often reuse surplus radios from their municipality's police and fire departments. This means that in most cases you'll be able to monitor them with your basic analog, non-trunking police scanner. While FCC licenses can be looked up for specific localities, they traditionally operate in the following frequency ranges:
33.20 – 33.10 MHz. (20 KHz. spacing)
37.90 – 37.98 MHz. (20 KHz. spacing)
39.06 – 39.98 MHz. (20 KHz. spacing)
45.00 – 46.00 MHz. (20 KHz. spacing)
47.00 – 47.40 MHz. (20 KHz. spacing)
150.9950 – 151.1375 (7.5 KHz. spacing)
153.7400 – 154.1225 (7.5 KHz. spacing)
154.9850 – 155.1525 (7.5 KHz. spacing)
155.7150 – 156.2400 (7.5 KHz. spacing)
158.745 – 159.2025 (7.5 KHz. spacing)
453.0000 – 454.0000 (12.5 KHz. spacing – Paired with mobiles at 458.0000 – 459.0000 MHz.)
• Most utility services in the US, especially in rural areas, are still on VHF low-band due to having a need to communicate over distant regions. This enables you to monitor a large area with just a few frequencies, provided you have an adequate antenna. Try searching through these frequency ranges:
37.46 - 37.86 MHz. (20 KHz. spacing)
47.68 - 48.54 MHz. (20 KHz. spacing)
153.4100 - 153.7325 MHz. (7.5 KHz. spacing)
158.1300 - 158.2725 MHz. (7.5 KHz. spacing)
451.0000 - 452.0000 MHz. (12.5 KHz. spacing - Paired with mobiles at 456.0000 - 457.0000 MHz.)
• Police departments are probably the least desirable monitoring target. Many agencies are sensitive to being monitored and are encrypting their system. Even on unencrypted systems, most of the radio traffic is mundane. Your best bets for PD monitoring before and during a disaster are the interoperability and mutual-aid frequencies as they are only active during a major incident.
• If your police department is running encryption, monitor the frequencies used for car-to-car, surveillance, and repeater input. If the usage for specific frequencies is unknown, monitor what's listed for mobile/portable operation in their FCC license. You may not be able to hear what's being said, but you will at least have an indication something is going down in your neighborhood when you hear traffic. Also keep in mind that encryption sometimes fails or gets accidentally shut off.
• The Internet is a great source for scanner frequencies. A quick Google search should find what you need, or check the frequency database at RadioReference.com.
Area of Interest For Sector searches
The following frequency ranges show a very high potential for sector searches:
*When conducting sector searches, limit frequency search to a span covering no more than 3 - 5 seconds.
*Perform a sector search on a particular area of spectrum for a period of no less than 1 week.
*Perform the sector search at various times of the day/night when possible.
*Note CTCSS, DCS, or NAC codes.
*Note down all trunked system control channels. Perform system analysis with Unitrunker or other software on all systems discovered.
*National Guard units have interoperability with statewide communication systems. Often they operate primarily on a statewide trunked system.
*The following frequency ranges are used by both active duty and reserve component military units:
30-88 MHz - Land; in particular: 30-30.55 MHz, 32-33 MHz, 34-35, 36-37, 38-39, 40-42, 46.6-47, 49.6-50
138-144 MHz - Land and Aircraft
148-150.775 MHz - Land
162-174 MHz - Land (shared with federal agencies)
225-380 - Aircraft
380-420 MHz - Land (400-420 MHz shared with federal agencies)
*Frequency hopping Spread Spectrum and encryption are used on the 30-88 MHz bands.
*P25, trunked radio systems and encryption are used on VHF high band and UHF bands.
*Due to a lack of open source frequency data in many areas, the use of sector searches will be required to determine frequencies used in a particular A/O.
*Panoramic spectrum display receivers such as the RTL-SDR with SDR# are an inexpensive and useful tool when performing sector searches.
*Use of OSINT, such as media coverage re: Jade Helm, is useful in determining optimum time for performing sector searches.
*During band openings VHF-Low (30-88 MHz) reception at distances in excess of 1000 miles is possible.
*Military 30-88 MHz signals will have a CTCSS (PL) tone of 151.4 (150) Hz.
-------------------- "The time for war has not yet come, but it will come and that soon, and when it does come, my advice is to draw the sword and throw away the scabbard." Gen. T.J. Jackson, March 1861 Posts: 15961 | From: A 059 Btn 16 FF MSC | Registered: Oct 2001
Building your own Signals/Communications Intelligence (SIGINT/COMINT) capabilities is one of the cornerstone messages of this blog - trust me, you’re going to be doing a lot more listening, interception and analysis than you will be doing shooting.
Along the way, I’ve learned quite a bit about communications and communications intelligence, from a humble teenage beginning with a Radio Shack CB, K40 mag mount, and a RS Pro-96. Everyone starts somewhere.
Where to Begin
Listening is 2x more important than talking. Your first purchase should be a general purpose scanner. Poke around Radio Reference, searching your area code, to find out what type of modes local emergency services are running. If it’s digital, such as APCO/P25, you’ll need a digital scanner. Yes, they are kinda pricey. Poke around though, they can be found fairly affordably (~$200) if you look hard enough. Most of the models built in the past 10 years have a feature known as “close call”, which switches the receiver directly to the frequency transmitting closest to the scanner. This is a nice feature that definitely will come in handy. Don’t discount the older non-digital sets; they have plenty of uses for monitoring traffic other than emergency services, including the license free bands, Marine band VHF near waterways, and air traffic.
Have a Shortwave Receiver. Shortwave broadcasts sit sandwiched within the Amateur HF bands. They range from broadcasts from fringe elements to international news. If you didn’t already know, domestic US news is highly condensed and biased towards a marxist agenda, normally offering a “version” of events that are contrary to the facts. At the minimum, you’ll receive the other side of the story. The set pictured is the venerable GP-5, it receives both AM and SSB, the mode which most Amateur traffic is transmitted. The cost is about $80; you should have one. Have a look around HF Underground, a neat forum that logs Shortwave broadcasts, commercial, pirate, and numbers stations. These are clandestine broadcasts that send encrypted messages via OTP and are intriguing to listen to. For all of you that continuously refer to One Time Pads as the solution to every single crypto need, you’ll get an idea of how they’re done in the real world.
Getting more advanced- Field Worthy Kit
Invest in a Wideband Communications Receiver. These may seem redundant at first; they both scan and receive Shortwave traffic. Like any jack of all trades, they are a master of…well, a few. These are actually much more suitable to use in the field than either of the aforementioned devices. Sometimes referred to as bubba detectors, they’re great for monitoring common FRS/GMRS/MURS traffic used by the uneducated. Most on the market are fairly ruggedly built, and several higher-end HTs also include wideband receiver features, to varying degrees. Personally, I like having a separate device to listen with than communicate with.
The model pictured is an Alinco DJ-X11, which receives all modes including SSB, and has a hidden transmitter (“bug”) detector built in. Both AOR and Icom build compact models as well (AR-Mini and R5/6, respectively), that are both excellent values at around $160 new. The Alinco is around $320, but the addition of SSB reception means it can receive HF amateur traffic as well as Shortwave like the others can. I greatly value the ability of my gear to be as redundant as possible.
Other sets can serve this purpose adequately as well; the Yaesu 817 makes a decent enough receiver on its own. As I stated, I’m not a huge fan of putting all my eggs in one basket, but knowing that your equipment can wear many hats is always nice and becomes a force multiplier at otherwise inopportune times.
A portable Yagi Antenna. Your signal collection team is not complete without one. Most folks use these to “beam” transmissions towards certain azimuths, and that’s a definite consideration for communications, but it also listens much better in the direction in which it’s pointed, giving a rough bearing on the direction from which a transmission is originating.
This makes not only listening to bubba but finding out where bubba is much easier. Coupled with the directional communications capability, this is a piece of kit that a clandestine team should not leave the wire without. They’re also relatively simple to homebrew. On these notes, your individual kit is not complete without a compass; without the ability to get a decent bearing, you’re wasting your time. “Over yonder somewhere” ain’t gonna cut it in a formal intelligence report.
An all-weather notebook to write down what you hear and not have it get ruined if it gets wet. Without the means to copy what you hear, including call signs or other identification, type of traffic, type of voice or mode (male/female/CW/Digi, etc), and azimuth, you’re listening for nothing. Remember that this information will go into a detailed SALUTE report, and the more detail offered the better the results will be in the end. The more detail you can give to an analysis cell, the more effective your operations will be later on. Included in your notebook should be a simple band plan and detailed info on past positive ID’d signals; the ability to quickly identify signals, possible sources, and previous users will make life much easier on the interception end. In addition, information on antenna lengths and types should be included to help positive ID targets and their equipment. Again, the more details you can include, the better off the mission will be.
SIGINT/COMINT Teams in the Field
The Army’s Intelligence Units break down SIGINT guys into teams which collect signals known as Low Level Voice Intercept, or LLVI for short. This skill set is so important that Special Forces include what’s known as SOT-As, which like their LLVI cousins, collect signals intelligence in small teams on the ground, reporting their findings to an analysis cell. Both are typically composed of four men; two buddy teams switching off to keep continuous surveillance on a target. It’s boring and repetitive, but it’s critical, hence why it takes very disciplined soldiers to competently complete the tasks.
A clandestine setting, like an overt setting, postures a small team shadowing other elements for other purposes. Like cogs in a machine, they’re just one piece, but when they don’t function, the machine may not run. In addition, a lost or compromised signal team is a huge detriment; in addition to the lost time it takes to train, it also compromises your capabilities. Your men have to be among the best in your formation, bar none.
You should be doing this now-
Signals and interception training, unlike shooting or bushcrafting, can be done anytime, anywhere, and besides the cost of equipment, is free. It’s low profile, and likely no one is going to call the police if you’re doing it in public. The only way to get good at it is through practice.
You can keep hoping for miracles or begin making your own.
Creating a Signals Collection Section from scratch
I’ve talked about this before; the need for Signals Collection and Analysis is EXTREMELY important. No, it may not be a sexy AR-15 or actions-on kinda deal, but its value is many times more important.
What you need at a minimum:
• 4 motivated guys, with a bit of radio experience
• Noise cancelling headphones
• 3, at a minimum, devices capable of scanning a large portion of the spectrum
• At least one scanner P25 digital capable
• A standalone scanner antenna
• Your Data Book https://brushbeater.wordpress.com/2015/10/28/data-books/
• A notebook and pen
The Role of Intelligence in Small Tactical Teams
What is Intelligence
Intelligence, in the context of this discussion, is the act of reducing uncertainty. For militias, neighborhood protection teams, mutual assistance groups and other small groups, intelligence is crucial in economy of effort.
“Economy of effort” is essentially “getting the most bang for your buck.” Imagine the mission of: “Protect your home from looters after the storm”. Without any information, you don’t know where to focus observation, what to plan for, etc…. As we develop intelligence, we can reduce uncertainty, and better defend your home. If you know that the most likely looters will be young disenfranchised Swedish immigrants from the housing projects north of your neighborhood, you can be aware of what to look for. If you know the terrain of your area, then you can determine that the Swedish looters will come from one or two avenues of approach. This allows you to focus your observation there. Etc…
While in “peacetime” or “DEFCON 4”, or “condition blue”, or whatever the operative term for “No immediate operations or threats,” there are a number of intelligence functions that should be carried out to be prepared for operations.
Intelligence Preparation of the Battlefield
One of the first tasks an intelligence section should carry out is Intelligence Preparation of the Battlefield (or IPB). In IPB, you determine the area of operations (AO), area of interest (AI), map terrain features and determine lanes of movement, and avenues of approach. Where are obstacles, etc…
Sam Culper has an Amazon ebook (more like a pamphlet) on Amazon, called “intelligence preparation of the battlefield”, as well as his book “SHTF Intelligence” and website https://readfomag.com/ that goes into much more depth.
There is also the army field manual 34-130 Intelligence Preparation of the Battlefield.
Other tasks that go with the IPB phase include defining the human terrain (demographics, and where are people based on culture, economics, politics, etc), mapping infrastructure such as rail lines, power lines, gas lines, substations, pumping stations, water treatment, etc, and if your group has a capable signals section, mapping radio users, towers, frequencies, modes, etc.
In addition to IPB, your intelligence section should be developing an intelligence database.
In times past, filing cabinets, folders and index cards were the tool of choice. These days the most popular setup is a “wiki” type database. (Wikipedia is the most well known wiki) In fact, the U.S. Department of Homeland Security uses a “wiki” database called “Intelliwiki” as their national set-up. Regardless of what format you use, you should be collecting information on influences in your AO.
Categories of influences are people, groups, gangs, organizations, companies, etc… Gaining thorough information on these influences helps to reduce uncertainty.
For example, knowing that Ludvig Karlsson is the leader of the local Swedish criminal gang, means that an intelligence section can keep tabs on him, to get an idea of gang activities, instead of trying to watch the whole gang. (An example of “economy of effort”)
Peacetime has ended, or you have gone to “DEFCON 3”, or “Condition Orange”, or whatever your group determines to be a heightened state of readiness. This elevation of readiness does not happen in a vacuum, it happens in response to something, and that “something” should help to define your intelligence requirements. Your group is going operational. At this point the intelligence section will start doing analysis, and in conjunction with leadership, determine priority intelligence requirements (PIR’s), data gaps that need to be filled, developing human intelligence resources (aka spies and moles) within groups that you may have interest in, etc…
The who and what of this planning at this stage will be very dependent on your group’s function and goals. A neighborhood protection team will be more interested in criminal gangs, and food supply, while a guerrilla/insurgent group will be more concerned with political groups and influences.
Analysis is the process of taking known information about situations and entities of strategic, operational, or tactical importance, characterizing the known, and, with appropriate statements of probability, the future actions in those situations and by those entities.
An excellent book to get started in understanding analysis is: Intelligence Analysis, a Target-Centric Approach
Whole college courses are taught on analysis, and this discussion can not possibly cover all the information needed just to get started.
To briefly encapsulate the analysis process, what is known, and what is reported is evaluated to rate the reliability of the data, then that information is modeled, with the different possible outcomes of actions. Most likely course of action and most dangerous course of action are considered. “Wargaming” and “Red Teaming” may be used to play out COA’s.
Once your group is actually conducting a mission, or operational, the duties of the intelligence section get added to. The most common responsibilities include tracking friendly forces, enemy forces, other groups, weather, looking for trigger events, and any changes in the assumptions that were made in the analysis and planning phase, and advising leadership on any changes in expected COA’s. Just because you are operational does not mean the planning, and pre-planning stop. In fact it is when things are most fluid that keeping IPB’s, Intel DB’s, and models up to date can be the biggest help.
Putting it all together
Example 1: Neighborhood Protection Team
Background. Due to some un-named catastrophe, there is a break down in the rule of law. Government is non-functional, and your group is tasked with protecting the neighborhood from looters. You have done IPB, and built an intelligence database.
Defense of your location is the mission, so you develop some of the following PIR’s:
Who are the most likely threats, and what are their capabilities and methods?
What is an indicator that a threat is imminent?
Because you have developed your intelligence database, you know that there are two criminal gangs that were functional during peacetime in your area. The Swedish gang is the biggest, and their leader, Ludvig Karlsson, drives a tricked out red Volvo SUV. There is also a Latino gang run by someone called “El Hefe”. Many gang members have low-rider cars and compact pickups.
Because you have done a proper IPB, you know that there is only vehicle access to your neighborhood via 2 roads from the north. Travel on foot from the west is unlikely due to the swampy marsh on that side, and thick woods followed by another neighborhood to the south means that threat to you from that direction is unlikely without the southern neighborhood being attacked first. This knowledge allows you to more economically marshal your resources to guard the two roads, and the exposed fields on the east. (This is economy of effort, and you don’t totally discount the south and west, but you can devote significantly fewer resources to guarding them.)
A week into the catastrophe, you get a reliable report that a neighborhood 12 miles to the north of you was wiped out. The attackers are reported to have been Caucasian, and many were blond. A red tricked out Volvo SUV was seen. There were about 30 attackers. And they attacked around noon. They raped and looted, and killed everyone that was in the neighborhood, and then set it on fire.
A few days later a reliable report indicates that another neighborhood was attacked at night by about a dozen Hispanic looking men. They only looted, but did not hesitate to kill any who resisted. A low-rider pickup truck was cruising the area that afternoon.
A few days later, there is another report of a daylight raid and red Volvo SUV on one neighborhood that was burnt to the ground, and a night time raid by a Latino gang that happened after a low-rider pickup was seen in the area.
At this point we can “model” the behavior of the two gangs, and say that the most likely course of action by the Latino gang will involve a scout in a low rider pickup, and attack at night, while an attack by the Swedish gang will include a red Volvo SUV during the day.
We then determine that the most dangerous course of action (for us) is to be attacked by the Swedish gang, since they spare none, and burn everything to the ground. Being attacked by the Latino gang is also a dangerous course of action.
Knowing this we have a number of courses of action to consider, in order to make our plans.
Since you know that El Hefe is the leader of the Latino gang, you could specifically target him at his home (If you know where that is), but what will the gang do then? Will they escalate their violence? Is there a second in command that will step up and carry out the same raids? Or will they fall apart? It is okay to say “I don’t know.” In fact it is preferred. Guessing or making stuff up is a recipe for disaster. A proper analysis needs the facts and data weighted correctly to be useful.
Not knowing what will happen to the Latino gang if El Hefe is taken out leads leadership to conclude it is not worth the risk of sending people out of the protection of the neighborhood to make the hit. Instead, they conclude that an advanced observation post (OP) to watch for low-riders, and red Volvos is a better risk/reward.
Several weeks in, your OP radios in that a tricked out red Volvo SUV, followed by about nine other cars just passed the OP en route to your neighborhood, about six miles away. You sound the alarm, and your neighborhood protection team moves to a prepared ambush site one mile north of the neighborhood. When the Volvo convoy gets into the killzone, the ambush is executed.
After most of the convoy is wiped out, you find Ludvig Karlsson and some other Swedish gang members among the dead and injured, along with a number of weapons, molotov cocktails, and forced entry tools. Mission success (for now)
Even with the one threat eliminated, the Intel team cannot stand down. Will the Latino gang attack? Will another group move in, or fill the void left by the Swedish gang? Will any survivors of the Swedish gang try to retaliate? (Will they even know who wiped them out, since the ambush was away from the neighborhood?) These are all issues the intelligence section must continue to work on.
Now imagine if the neighborhood protection team did not have an intelligence section or person? The first hint of a raid would be when the raid happens. Most likely the neighborhood would have more casualties. They would not have the advantage of a well planned ambush, or early warning. Vehicles and houses would be damaged by the firefight. If molotovs are thrown, some houses may burn. If the defenders do not completely wipe out the Swedish gang, and they are driven back, they may come back for retribution. All a much more dangerous course of action.
Example 2: Intel in political action
Background: Your group is a state gun rights group trying to influence social and political action to remove current state firearms restrictions.
Your IPB will not focus on physical terrain, lanes of movement and avenues of approach, but instead focus on the human terrain. Where are the conservative and liberal neighborhoods? What areas of employment tend to have one political stripe work there? (For instance more liberals will work in the trendy hipster coffee shop section of town, while more conservative minded folks will be working in the industrial business park. ) Why does this matter? If you spend money on political advertising such as a billboard, putting one that resonates with conservatives in a conservative part of town is more effective than putting a conservative billboard in a liberal part of town.
Your database will have the politicians, their donors, businesses, and donor businesses. Other political activist groups (both for and against), etc… This is used to leverage campaigns against the opponents’ donors and sponsors. A boycott of a gun grabber’s major donor may hurt their bottom line, and reduce their effectiveness.
Your analysis will focus on which groups to pressure, or what areas to market to will yield the biggest effect for political action. (Economy of effort again)
Example 3: Guerrilla / Insurgency
Background: You live in Dirka Dirka-stan, and due to the fact that the political establishment is so entrenched and in bed with big business, your attempts to peacefully affect the political process have failed, so your group decides to go kinetic.
Understanding the human terrain is essential!
There is a senator from Dirkafornia that is notoriously anti-rights and anti-gun. A lot of insurgents, if given the chance, would jump at the opportunity to kinetically remove the senator. However, if your intelligence section has done its homework, they may conclude that since the senator is from the city of Dirkfrancisco, that their likely successor will be just as bad as a gun grabber as the target. Additionally, we can model that after many political assassinations, there is a groundswell of sympathetic support for the deceased’s pet causes… so a kinetic action against the senator may actually produce the opposite of the desired effect, and get sympathy votes of “We should ban more guns, because that is what the senator would have wanted, in honor of them.”
Individual guerrilla actions may require an IPB for a specific action, such as an ambush or assassination. Analysis is needed to look at the courses of action for success and failures of the mission so that the risks can be weighed. What are the third and fourth order effects? Will there be blowback? By whom? What will the public reaction be?
Intelligence is an important task for small tactical teams. It can mean the difference between success or failure. It can prevent the waste of life and resources. It drives the missions!
In an Army Infantry Brigade there is an intelligence company of about 60 people devoted to the task, which include network and computer technicians, Human Intelligence collectors, Signals Intelligence collectors, exploitation teams, analysts, synchronization and collection management sections, linguists, cryptanalysts, imagery analysts, database technicians, and more. Additionally this company supports intelligence sections at brigade and battalion level.
This is a huge role to fill by one or a couple of people that will make a small team’s intelligence section. While you can not do everything a brigade intel company does, starting with the basics gets you a huge advantage over the unprepared.